If the last few years are any indication, cybercriminals will continue adopting new tactics and techniques to find ways past our network defenses. That was on display in full force at RSA Conference earlier this month, where cybersecurity experts shared what they’re seeing in the wild. The annual cybersecurity conference was held at a pivotal time in the cybersecurity space, as tensions between nation states and a kinetic war between Russia and Ukraine have been preceded by large-scale cyberattacks.
The ongoing conflict between Russia and Ukraine is the first large-scale example of a nation state preluding a military invasion with devastating cyberattacks against its enemy, with Ukraine being hit with destructive malware and wipers before it was invaded by its larger neighbor, says John Fokker, principal engineer and head of cyber investigations for Trellix Threat Labs, a sponsor of the conference.
In addition to the continued prevalence of ransomware and software supply chain compromises, the sophisticated attacks that have become part of nation states’ war strategies are most alarming to Fokker, who sat down with TechDecisions for an interview after the show.
Fokker says network defenders elsewhere should prepare for similar kinds of attacks as the cyber stage becomes another battlefront of modern warfare, and as ransomware groups and nation states begin to learn from one another. Russia has long been known to be a safe haven for ransomware groups as long as they target Russia’s adversaries, and the Conti ransomware leaks exposed some of that working relationship.
“If you as a foreign actor want to deploy a more disruptive way of spreading malware, you can actually learn from ransomware actors if you want to deploy a wiper across a network, because they’ve honed their skills in penetrating a network from A-to-Z in the shortest amount of time in the last few years,” Fokker says.
Fokker’s comments are in addition to a panel session that has been featured at RSA each year on the five most dangerous new attack techniques. Featuring cybersecurity experts, the session detailed how threat actors are using cloud infrastructure to conduct attacks, compromising backups, leveraging spyware and worms, and how nation states are turning their attention to large-scale cyberattacks targeting satellites.
The panelists discussed the prevalence of cloud infrastructure and its rising use by threat actors to blend into victim infrastructure and avoid detection; the need to securely back up systems; the lingering threat of worms; mobile device security and the rising use of spyware like Pegasus; and new cyberattacks being conducted on the international stage.
Trellix researchers have seen the same thing play out in Eastern Europe, with cyberattacks ranging from tried-and-true methods like phishing and exploiting vulnerabilities to backdoors and destructive malware.
The company published a report earlier this month detailing some of these attacks, including phishing campaigns that impersonated the country’s Ministry of Defense and cybersecurity agency. However, it was the wipers deployed by Russian nation-state groups that got a considerable amount of attention earlier this year.
According to Trellix Threat Labs’ report, the company observed a threat actor attempt to deploy a wiper on a victim’s network, but the wiper, dubbed WhisperGate, failed to execute. However, it took the group only two-and-a-half hours to deploy another wiper, this time HermeticWiper.
Fokker urges organizations, cybersecurity experts and IT professionals—especially those working for organizations that could be targets for nation-state actors—to pay close attention to what’s happening on the international stage.
“Make no mistake—if you have an (advanced persistent threat actor) as a potential threat to your organization, you should take very close notice of what is going on right now,” Fokker says. “From a threat intelligence perspective, I think we’re at a very pivotal moment.”
According to the threat intelligence expert, the Russia-Ukraine conflict is the first time in history that a superpower launched cyberattacks and followed them up with a kinetic invasion.
“History is being written as we speak,” Fokker says.